Juniper Junos OS - Page 51
158 pages
To configure security zones and policies:
1. Delete the interface ge-0/0/1 from family ethernet-switching (factory configuration) and assign an IP address.
[edit]
user@srx210-host# delete interfaces ge-0/0/1 unit 0 family ethernet-switching
user@srx210-host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
2. Configure a new security zone (DMZ) and assign interfaces.
[edit]
user@srx210-host# set security zones security-zone DMZ interfaces ge-0/0/1 host-inbound-traffic system-services all
3. Create address books in the DMZ zone.
[edit]
user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/32
user@srx210-host# set security zones security-zone DMZ address-book address Server-SMTP 192.168.2.4/32
4. Create address sets in the DMZ zone to group HTTP server addresses together.
[edit]
user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
5. Create address books in the trust zone.
[edit]
user@srx210-host# set security zones security-zone trust address-book address PC-Trust 192.168.1.2/32
6. Create an interzone policy to permit SMTP traffic from the trust zone to the DMZ zone.
[edit]
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match source-address PC-Trust
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match destination-address Server-SMTP
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match application junos-smtp
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ then permit
7. Create an intrazone policy to permit HTTP traffic between the two servers in the DMZ zone.
[edit]
user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http
user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
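The steps above build zone-attached address books and then reference those names from policies, so a source-address name must be defined in the from-zone's book and a destination-address name in the to-zone's book, and step 2 opens every system service on the DMZ interface. The following Python audit script is an added example (not Juniper's tooling) that parses the set commands printed on this page, constructed as an inline sample, and reports those two things plus any policy that has no then action; the regexes, the audit function and the finding strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the set commands printed on this page, one per line as typed at [edit].
SAMPLE_CONFIG = """
set security zones security-zone DMZ interfaces ge-0/0/1 host-inbound-traffic system-services all
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/32
set security zones security-zone DMZ address-book address Server-SMTP 192.168.2.4/32
set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
set security zones security-zone trust address-book address PC-Trust 192.168.1.2/32
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match source-address PC-Trust
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match destination-address Server-SMTP
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match application junos-smtp
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ then permit
set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http
set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
"""
ADDR = re.compile(r"^set security zones security-zone (\S+) address-book (?:address|address-set) (\S+)")
HIT = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) host-inbound-traffic system-services (\S+)")
POLICY = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?")

def audit(config):
    """Return a list of finding strings for a set-style Junos security config."""
    books = defaultdict(set)   # zone -> address and address-set names in its address book
    policies = {}              # (from-zone, to-zone, name) -> {"source-address": [...], "then": [...], ...}
    findings = []
    for line in config.strip().splitlines():
        if m := ADDR.match(line):
            books[m[1]].add(m[2])
        elif m := HIT.match(line):
            if m[3] == "all":   # every system service reachable on that interface
                findings.append(f"zone {m[1]} interface {m[2]}: system-services all")
        elif m := POLICY.match(line):
            p = policies.setdefault((m[1], m[2], m[3]), defaultdict(list))
            if m[4] == "match":
                p[m[5]].append(m[6])
            else:
                p["then"].append(m[5])
    for (src_zone, dst_zone, name), p in policies.items():
        for a in p["source-address"]:
            if a != "any" and a not in books[src_zone]:
                findings.append(f"policy {name}: source-address {a} not in zone {src_zone}")
        for a in p["destination-address"]:
            if a != "any" and a not in books[dst_zone]:
                findings.append(f"policy {name}: destination-address {a} not in zone {dst_zone}")
        if not p["then"]:
            findings.append(f"policy {name}: no then action")
    return findings
```

Run against the sample it reports the all-services setting on ge-0/0/1 and that permit-http-in-DMZ has no then action yet, since this page ends before that command.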
Copyright © 2016, Juniper Networks, Inc. (page 35)
Chapter 5: Configuring Security Zones and Policies for SRX Series